When you exceed an API request quota, AWS KMS throttles the
request, that is, it rejects an otherwise valid request and returns a
ThrottlingException error like the following one. To respond, use a backoff and retry
strategy.

You have exceeded the rate at which you may call KMS. Reduce the frequency of your calls.
(Service: AWSKMS; Status Code: 400; Error Code: ThrottlingException; Request ID: <ID>
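One way to implement the backoff and retry response, as an added example that is not AWS code: it retries only errors whose code is ThrottlingException, using capped exponential backoff with full jitter. The names `call_with_backoff`, `is_throttled`, `FakeThrottle` and `flaky` are hypothetical, and the error is detected by the `response["Error"]["Code"]` layout that botocore's `ClientError` uses.

```python
import random
import time

def is_throttled(exc):
    """True if exc carries the ThrottlingException error code.

    Reads the botocore ClientError layout (exc.response["Error"]["Code"])
    without importing botocore, so any exception with that shape matches.
    """
    resp = getattr(exc, "response", None)
    return (isinstance(resp, dict)
            and resp.get("Error", {}).get("Code") == "ThrottlingException")

def call_with_backoff(fn, max_attempts=6, base=0.1, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn(), retrying only throttled requests with capped full jitter."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except Exception as exc:
            # Other errors (for example an access-denied error) are not
            # transient, so they are re-raised at once, as is the last failure.
            if not is_throttled(exc) or attempt == max_attempts - 1:
                raise
            # Full jitter: wait a random time in [0, min(cap, base * 2^attempt)).
            sleep(rng() * min(cap, base * 2 ** attempt))

class FakeThrottle(Exception):
    """Constructed stand-in for an SDK error (hypothetical, not an AWS class)."""
    def __init__(self, code="ThrottlingException"):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

def flaky(failures, code="ThrottlingException"):
    """Return a callable that raises `failures` times, then returns 'ok'."""
    state = {"left": failures}
    def fn():
        if state["left"] > 0:
            state["left"] -= 1
            raise FakeThrottle(code)
        return "ok"
    return fn

if __name__ == "__main__":
    # Two throttled attempts, then success; sleeps are recorded, not taken.
    waits = []
    print(call_with_backoff(flaky(2), sleep=waits.append), waits)
```
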

The request quotas differ with the API operation, the AWS Region, and other factors,
such
as the CMK type.

If you are exceeding the request quota for the GenerateDataKey operation, consider
using the data key caching
feature of the AWS Encryption SDK. Reusing data keys might reduce the frequency of
your requests
to AWS KMS.

In addition to request quotas, AWS KMS uses resource quotas to ensure capacity for
all users.
For details, see Resource quotas.

Throttling is based on all requests on CMKs of all types in the Region. This total
includes requests from all principals in the AWS account, including requests from
AWS
services on your behalf.

Each request quota is calculated independently. For example, requests for the CreateKey operation have no effect on the
request quota for the CreateAlias
operation. If your CreateAlias requests are throttled, your
CreateKey requests can still complete successfully.

Although cryptographic operations share a quota, the shared quota is calculated
independently of quotas for other operations. For example, calls to the Encrypt and Decrypt operations share a request quota, but
that quota is independent of the quota for management operations, such as EnableKey. For example, in the
Europe (London) Region, you can perform 10,000 cryptographic operations on symmetric
CMKs
plus 5 EnableKey operations per second
without being throttled.

The quotas for different types of CMKs are calculated independently. Each quota applies
to
all requests for these operations in the AWS account and Region with the given key
type in
each one-second interval.

Cryptographic operations (symmetric) request rate
is the shared request quota for cryptographic operations using symmetric CMKs in an
account and region.

For example, you might be using symmetric CMKs
in an AWS Region with a shared quota of 10,000 requests per second. When you make
7,000
GenerateDataKey requests per
second and 2,000 Decrypt requests per
second, AWS KMS doesn't throttle your requests. However, when you make 9,500
GenerateDataKey requests and 1,000 Encrypt requests per second, AWS KMS
throttles your requests because they exceed the shared quota.

For example, with a request quota of 500 operations per second, you can make 200
Encrypt requests and 100 Decrypt requests with RSA CMKs that can
encrypt and decrypt, plus 50 Sign requests
and 150 Verify requests with RSA CMKs
that can sign and verify.

For example, with a request quota of 300 operations per second, you can make 100 Sign
requests and 200 Verify requests with RSA CMKs that can sign and verify.

The quotas for different key types are also calculated independently. For example,
in
the Asia Pacific (Singapore) Region, if you use both symmetric and asymmetric CMKs,
you can make up to
10,000 calls per second with symmetric CMKs plus up to 500
additional calls per second with your RSA asymmetric CMKs, plus up to 300 additional requests per second with your ECC-based CMKs.

API requests made on your behalf

You can make API requests directly or by using an integrated AWS service that makes
API requests to AWS KMS on your behalf. The quota applies to both kinds of requests.

For example, you might store data in Amazon S3 using server-side encryption with AWS
KMS
(SSE-KMS). Each time you upload or download an S3 object that's encrypted with SSE-KMS,
Amazon S3
makes a GenerateDataKey (for uploads) or Decrypt (for downloads)
request to AWS KMS on your behalf. These requests count toward your quota, so AWS
KMS throttles
the requests if you exceed a combined total of 5,500 (or 10,000 or 30,000 depending
upon your
AWS Region) uploads or downloads per second of S3 objects encrypted with SSE-KMS.

Cross-account requests

When an application in one AWS account uses a CMK owned by a different account, it's
known as a cross-account request. For cross-account
requests, AWS KMS throttles the account that makes the requests, not the account that
owns the
CMK. For example, if an application in account A uses a CMK in account B, the CMK
use applies
only to the quotas in account A.
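The accounting rules described above (shared quotas per key type, requests made on your behalf, and cross-account requests), as an added example that is not AWS code. It totals constructed per-second request counts for one account and reports the buckets that exceed the shared quota. The record layout, the account names "A" and "B", and the quota values (taken from the page's examples) are assumptions.

```python
from collections import defaultdict

# Per-second shared quotas from the page's examples; real values vary by Region.
SHARED_QUOTA = {"symmetric": 10_000, "rsa": 500, "ecc": 300}
# Operations that draw on the shared cryptographic quota. Management
# operations such as EnableKey or CreateAlias have their own quotas.
CRYPTO_OPS = {"Decrypt", "Encrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext", "GenerateRandom",
              "ReEncrypt", "Sign", "Verify"}

def over_quota(records, account):
    """Return {(second, key_type): total} for buckets above the shared quota.

    Each record is a constructed, pre-aggregated tuple:
    (second, caller_account, key_owner_account, key_type, operation, count).
    """
    totals = defaultdict(int)
    for second, caller, _owner, key_type, op, count in records:
        if caller != account:      # cross-account use is charged to the caller
            continue
        if op not in CRYPTO_OPS:   # management operations are counted separately
            continue
        totals[(second, key_type)] += count
    return {k: v for k, v in totals.items() if v > SHARED_QUOTA[k[1]]}

# Constructed sample data; "A" and "B" are placeholder account names.
SAMPLE = [
    (0, "A", "A", "symmetric", "GenerateDataKey", 7_000),
    (0, "A", "A", "symmetric", "Decrypt", 2_000),
    (1, "A", "A", "symmetric", "GenerateDataKey", 9_500),
    (1, "A", "A", "symmetric", "Encrypt", 1_000),
    # Second 2: direct calls, S3 SSE-KMS calls made for A, and B using A's CMK.
    (2, "A", "A", "symmetric", "Encrypt", 9_000),
    (2, "A", "A", "symmetric", "GenerateDataKey", 800),  # S3 uploads for A
    (2, "B", "A", "symmetric", "Decrypt", 500),          # charged to B, not A
    (2, "A", "A", "symmetric", "EnableKey", 5),          # separate quota
    (2, "A", "A", "rsa", "Encrypt", 200),
    (2, "A", "A", "rsa", "Decrypt", 100),
    (2, "A", "A", "rsa", "Sign", 50),
    (2, "A", "A", "rsa", "Verify", 150),
    (3, "A", "B", "ecc", "Sign", 100),    # A using B's CMK: charged to A
    (3, "A", "B", "ecc", "Verify", 201),
]

if __name__ == "__main__":
    print(over_quota(SAMPLE, "A"))
```
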

Custom key store quota

AWS KMS custom key stores support only symmetric CMKs. The cryptographic operations
that use
the CMKs in a custom key store share a
request quota of 1,800 operations per second for each custom key store. However, not
all
operations use the quota equally. The GenerateDataKey,
GenerateDataKeyWithoutPlaintext, and GenerateRandom operations use
approximately three times as much of the per-second quota as the Encrypt,
Decrypt, and ReEncrypt operations.

For example, if you are requesting only Encrypt and Decrypt
operations, you can perform approximately 1,800 operations per second. If, instead,
you
request repeated GenerateDataKey operations, your performance might be closer to
600 operations per second. For application patterns that consist of roughly equal
numbers of
GenerateDataKey and Decrypt operations, you can expect about 1,200
operations per second.

Unlike other AWS KMS quotas, the custom key store quota is not adjustable. You cannot
increase it by using Service Quotas or by creating a case in AWS Support.

Note

If the AWS CloudHSM cluster that is associated with the custom key store is processing
numerous
commands, including those unrelated to the custom key store, you might get an AWS
KMS
ThrottlingException at a lower-than-expected rate. If this occurs, lower your
request rate to AWS KMS, reduce the unrelated load, or use a dedicated AWS CloudHSM
cluster for your
custom key store.

Request quotas for each AWS KMS API operation

This table lists the Service Quotas quota code and
the default value for each AWS KMS request quota.

Quota name: Cryptographic operations (symmetric) request rate

Applies to: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateRandom, ReEncrypt

Default value (per second): These shared quotas vary with the AWS Region and the type of CMK used in the request. Each quota is calculated separately.